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Abstract 

Proof-of-work (PO W) schemes h ave been proposed in the past. One prominent 
system is HASHCASH fBackV2002'] which uses cryptographic puzzles . However, 
work bv iLaurie and C lavton |2004] has shown that for a uniform proof-of-work 
scheme on email to have an impact on SPAM, it would also be onerous enough 
to impact on senders of "legitimate" email. 1 suggest that a non-uniform proof-of- 
work scheme on email may be a solution to this problem, and describe a frame- 
work that has the potential to limit SPAM, without unduly penalising legitimate 
senders, and is constructed using only current SPAM filter technology, and a small 
change to the SMTP (Simple Mail Transfer Protocol). Specifically, 1 argue that it is 
possible to make sending SPAM 1,000 times more expensive than sending "legiti- 
mate" email (so called HAM). Also, unlike the system proposed bv lLiu and CampI 
l2006ll . it does not require the complications of maintaining a reputation system. 



1 Introduction 



1.1 A Brief Introduction To Proof-Of-Work As A SPAM Counter 
Measure 

Proof-of-Work (POW) systems were sugges ted as a counter measure to junk email 
(SPAM) as early as 1992 [Dwork and N aoi r ll993ll. and the concept has been redis 



covered and developed since then e.gTl ^vest and S lamiii 1996 Rivest et all 
Mcobsson and Juels, 1999', 'Back', '2002'. lOwork et all l2002l IWang and Reiter , 
Abadi et al., 2005. loannidis et al., 2005,1 . 
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In simple terms a POW system uses a puzzle challenge that is hard to solve, but 
easy to verify. The solution to the puzzle is presented to the receiving email server as 
proof of having completed a certain amount of work. The intention is that this will 
limit the number of messages that a Spammer can send per unit time. When applied 
to all email messages, I call the scheme a Uniform Cost Proof Of Work Scheme. That 
is, the computational burden is equal for every message, whether it is wanted by the 
recipient (HAM), or unwanted by the recipient (SPAM). 

In reality, due to differences in computational capacity (CPU speed) of mail servers, 
the burden is not uniform. These differences can be great, probably around two orders 
of magnitude between the fastest and slowest computers that send email. However, the 
difference between the fastest and slowest random access memories are much less than 
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the difference between the fastest and slowest CPUs. Classes of puzzles have been 
suggested that use this property to keep the burden a s uniform as possible, to reduce 
the performance difference to a factor of less than five lAbadi et alj i2005il . This would 
seem to be a reasonable achievement. 



1.2 Problems With Uniform-Cost Proof-Of-Work As A SPAM Counter 
Measure 

Assuming for the moment, then, that (approximately) Uniform-Cost Proof-of-Work 
systems exist, we turn to the problems they face. The following is a list of problems 
with Uniform-Cost Proof-o f-Work systems that, with th e ex ception of messa ge latency. 



are drawn from the work of iLaurie and ClavtonI 0200411 and lKrawetj 11200411 : 



1.2.1 Message Latency 

By applying a computational delay to every message, the impUed real-time delivery se- 
mantic of email is broken. This makes a Uniform-Cost Proof-of-Work scheme socially 
unattractive. 



1.2.2 Inequitable Burden 

The problem of inequitable burden of pro of-of-work schemes due to server speed has 
already been mentioned, and even though lAbadi et al.l 12005 *1 showed how to reduce 
the margin to less than five-fold, that is still a significant inequality. 



1.2.3 Mailing Lists 

Mailing lists send a great many messages. If each recipient invoked a uniform email 
proof-of-work burden, then large mailing lists would become expensive, if not imprac- 
tical. That is, the indiscriminate nature of the proof-of-work scheme causes mailing 
lists to be impacted to the same degree as a Spammer who sends the same quantity of 
messages. 



1.2.4 Robot Armies 

Moreover, because many Spammer control hundreds of thousands of compromised 
computers around the world, it would seem that Spammer have access to much larger 
CPU resources than most legitimate senders. Thus a uniformly applied proof-of-work 
scheme on email may actually hurt legitimate senders more than it hurts Spammer 
Also, Spammer are able to maintain legitimate CPU resources, further compounding 
the problem. 



1.2.5 Summary 

To summarise, we discover what iLaurie and ClavtonI ll2004ll have established from a 
theoretical perspective, that for any uniform email proof-of-work scheme to be suffi- 
cient to reduce SPAM (assuming 2004 levels of roughly equal SPAM and HAM), then 
the several percent of legitimate email senders who send relatively many email mes- 
sages will be prevented from doing so. In other words, a Uniform-Cost Proof-of-Work 
scheme, regardless of the quality of the algorithms it uses, cannot succeed, precisely 
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because it burdens SPAM and HAM uniformly. Therefore, if Proof-of- Work is to work, 
it cannot be with a Uniform-Cost model. 



1.3 Introducing Targeted-Cost Proof-Of-Work As A Feasible SPAM 
Counter Measure 

Having argued that a Uniform-Cost Proof-of-Work scheme cannot succeed, I suggest 
that Proof-of-Work schemes, generally, are not fatally flawed. Note that for every 
objection in the previous text, that the problem is the indiscriminate application of a 
uniform burden on all email messages. The logical alternative is to apply the burden on 
a more intelligent basis. An ideal implementation would place no burden on legitimate 
messages (HAM), and an infinite and unavoidable burden on SPAM. Such a system 
would immediately, by definition, stop all SPAM — unfortunately this result cannot be 
produced with current technology. 

While we have no 100% accurate method to discriminate HAM and SPAM, we do 
have effective heuristic email classification systems, such as SpamAssassirQ, CRMl l41 
and many others. Thus, by using the judgements of an existing SPAM filter, as to the 
probability of a given message being SPAM, it is possible to dynamically determine 
the burden to apply to that message. That is, we can still place the vast majority of 
the burden on Spammers, with the precise proportion determined by the quality of the 
SPAM filters. As with previous Proof-of-Work schemes, the work would take the form 
of solving a specially created cryptographic puzzle with the desired degree of difficulty. 

Such a scheme has a subtle but important difference to just using SPAM filters 
alone: The failure mode for falsely classifying HAM as SPAM is more robust, as the 
delivery of an incorrectly classified message is only resisted, instead of being refused. 
For example, it would be unrealistic to configure a SPAM filter to reject messages that 
are only 5% likely to be SPAM, even though that may be the threshold required to reject 
practically all SPAM. However, it is completely reasonable to resist the delivery of 
messages that are 5% likely to be SPAM. I call this method of the selective application 
of a Proof-of-Work scheme Targeted-Cost Proof-of-Work. 

This assumes that all computers can perform the work required by a Proof-of-Work 
scheme at a uniform rate. But computers vary in speed. Fortunately, if both small hand 
held devices and super-computers are excluded from consideration (this seems reason- 
able, since few legitimate mail senders use hand held devices, and few spammers have 
sustained access to super computers), most computers connected to the Internet vary 
in clock speed by no more than about one order of magnitude. Also, research has been 
conducted into creating problems that are limited by a computers random access mem 



ory speed, which is a qu antity that varies much less than CPU speed jPwork et al. 



20021 lAbadi et all 1200511 . Moreover, there seems to be no reason to suggest that the 
average computer being used to send SPAM will be much faster than the average com- 
puter being used to send legitimate email. Thus, the system 

Some SPAM filters have demonstrated >99.9% accuracjQ. Therefore, by using 
SPAM filters to inform a Targeted-Cost Proof-of-Work scheme, it should be possible 
to correctly resist 99.9% of SPAM, but only resist 0.1% of HAM. Thus Spammers are 
burdened almost 1,000 times more per message, on average, than legitimate senders. 

By shifting the vast majority of the computation burden from legitimate senders 



'HTTP://spamassassin. apache. org/ 
^HTTP://crml 14.sourceforge.net/ 
^HTTP://crml 14.sourceforge.net/ 
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to Spammers, Proof-of-Work should be feasible. Consider the calculations presented 
bv lLaurie and ClavtonI 1200411 that showed how a Uniform-Cost Proof-of-Work scheme 
would hu rt legitimate send ers who send more than 250 emails per day. The graph pre- 
sented by lLaurie and Clay ton |2004] suggests that 1.56% of legitimate senders would 
fall into this category. If the cost to send (on average) were reduced by a factor of 1,000, 
then legitimate senders could send of the order of 250,000 messages per computer per 
day, while still limiting Spammers to of the order of 250 messages per computer per 
day. 

Moreover, if the advantage is 1,000 times, then some legitimate sending capacity 
can be sacrificed to further limit the sending of SPAM. I suggest that a Targeted-Cost 
Proof-of-Work scheme require proof of approximately 1 hour of work for messages 
suspected of being SPAM (assuming 99.9% accurate classification). In that case, le- 
gitimate senders could deliver about 24,000 messages per computer per day, while 
Spammers would be limited to only 24 messages per computer per day. Assuming that 
Spammers have about 10 million computers at their disposal, this would limit daily 
spam volumes to only 24 million messages per day — about one SPAM for every 
twenty Internet users. 

If the system is detuned to accommodate a SPAM classifier that is less accurate, 
then the advantage would be reduced, either by limiting the daily capacity of legitimate 
senders, or by allowing Spammers to send more SPAM, or perhaps a combination of 
the two. 

Even a classification accuracy of only 95% gives a 20:1 advantage to HAM over 
SPAM, which would allow legitimate senders to deliver several thousand messages per 
computer per day, while limiting Spammers to only a couple of hundred messages per 
computer per day. These lim its should accommodate practically all legitimate senders 
(ILaurie and ClavtonI ll2004ll suggest that fewer than 0.1% of users send more than a 
couple of thousand email messages per day), while limiting SPAM to similar volumes 
as HAM (since th e vast majority of legitimate senders send many fewer messages per 
day (according to iLaurie and ClavtonI 1200411 . the median is about 90 messages per 
day). 

On balance, requiring about an hour of work for each suspected SPAM seems rea- 
sonable, as it severely limits SPAM delivery capacity, while not burdening legitimate 
senders too much: If SPAM filter accuracy of 99.9% is sustainable, then a cost of 1 
hour applies to only 0. 1 % of legitimate email, giving an average delivery cost of only 
3.6 seconds. 

Moreover, as will be described below; a) legitimate bulk senders can act to reduce 
their burden; and b) it is possible for each receiving mail server to configure this be- 
haviour independently, reflecting the accuracy of their SPAM filters, or to satisfy local 
policy. That is, a Targeted-Cost Proof-of-Work scheme can improve the HAM to SPAM 
advantage somewhat beyond what is immediately apparent. However, there are risks 
that must be managed. 



2 Managing Risks 

2.1 Variable SPAM Filter Performance 

The effectiveness of a Targeted-Cost Proof-of-Work system is proportional to the ac- 
curacy of the SPAM filter that underlies it. But SPAM filters differ in accuracy from 
site to site. Some of this variability could be fixed if all sites used the current best 
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SPAM filter software. However, some variability is due to the kind of email that sites 
receive (consider the difference between what staff at a marketing company, a SPAM 
researcher, and staff at a medical centre would consider SPAM and HAM, and also the 
difference between the kinds of messages they might receive). 

Fortunately, a Targeted-Cost Proof-of-Work system need not consider these issues. 
This is because the receiving mail server specifies whether to resist delivery of a mes- 
sage, and what the level of resistance is. The local message administrator can tune the 
threshold at which the resistance applies, and the level of the resistance (perhaps in- 
troducing a sliding resistance scale based on the spamminess of a message, and white 
Usts of senders who are never resisted). Therefore each mail server can optimise the 
system to minimise the amount of SPAM that is delivered, without unduly burdening 
legitimate senders. 

2.2 When Delivery Of Legitimate Mail Is Too Expensive 

This leads to an important issue: What happens when a receiving mail server imposes 
a burden that a legitimate sender is not willing to meet? This is the one failure mode 
that is undesirable (SPAM that is accepted is less of a problem, because the receiving 
mail server may still discard the message or mark it as SPAM, even after it has been 
accepted from the sender). Ideally, the sending mail server should alert the user that 
their message was not delivered because it was too spammy. The user could then re- 
draft and re-send the message. Alternatively, they could send a fresh message to the 
recipient asking to be added to their receiving mail servers white Ust so that future 
messages will not be resisted. 

2.3 Senders Of "Pressed HAM" (PHAM) 

A related problem is legitimate senders who send messages that are, perhaps unavoid- 
ably, spammy. I call such messages Pressed HAM (or PHAM for short) — they are 
not quite SPAM, but like Pressed HAM, they are not as palatable as real HAM. Many 
solicited advertisements and business newsletters would fall into this category. First, it 
is observed that business senders are the group most able to meet the deUvery burden, 
assuming that they have a sound and profitable business model. Secondly, the resis- 
tance to delivery creates an economic incentive for such senders to avoid some of the 
evils of PHAM. Much PHAM can be rendered more palatable by including a link to 
the information, rather than hundreds of kilobytes of HTML and images. 

2.4 Mailing Lists 

Mailing lists are relatively straight forward: A correctly configured mailing list, that 
carries HAM, will not be greatly penalised. In contrast, if a Spammer uses a maihng 
Ust to attempt to deliver SPAM to a broad audience, then resistance will be applied 
to most deliveries. To alleviate this, and to reduce resource requirements, a mailing 
hst could refuse to deliver messages that invoke too much resistance during dehvery 
(and alert the sender of this). This may seem severe, however, some existing mailing 
list providers already implement similarly harsh policies, e.g., never re-trying delivery 
after a temporary failure. 
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2.5 Leaking SPAM Filter Information To Spammers 



Because the resistance is selectively applied to SPAM, it is possible that Spammers 
may try submitting successive refinements of their messages to a given mail server in 
order to try to reduce the spamminess of the message, and so avoid encountering resis- 
tance during delivery. To mitigate this risk, it is recommended that in practise a mail 
server use a single degree of resistance: Either delivery is resisted, or it is not. If grad- 
uated resistance is absolutely required, the more coarsely grained the graduation, the 
better. The level of resistance could include a random factor to make it more difficult 
to reverse engineer HAM flavoured SPAM. Having had said this, a finely graduated 
resistance scheme makes a lot of sense, in that it encourages senders to reduce the 
overall spamminess of their messages, and provides a more graceful failure mode for 
misclassification of messages. Therefore we briefly consider the likely impact of using 
a graduated resistance scheme. 

Regardless of the resistance scheme that is applied, the impact of any leaked infor- 
mation about the SPAM filter must be considered. There are two possible scenarios: 1) 
There are few distinct SPAM filters; or 2) There are many distinct SPAM filters. 

If there are few distinct SPAM filters, then the information leaked by mail servers 
is already available to Spammers, because it is feasible for them to run their message 
through each and (much more easily) minimise the spamminess of their message. Al- 
ternatively, there are too many SPAM filters for a Spammer to do this. In that case, it 
seems reasonable to assume that minimising the spamminess of a message against any 
one filter will be of only limited value, as other filters will target different message fea- 
tures. Moreover, there are characteristics of a message that a Spammer cannot readily 
change, such as the IP address they are sending from. Thus the task of reducing the 
spamminess of a given message sufficient to avoid widespread classification as SPAM 
is particularly difficult. 

However, let us be pessimistic, and assume that a Spammer does come up with a 
process that enables them, by repeated submission of a message, reduce its spamminess 
sufficient to avoid resistance during delivery. In that situation it is possible to use a "sin 
bin", that blocks delivery when this anti-social behaviour is observed, e.g., repeatedly 
declining to meet the delivery burden imposed on a message. Hosts in the sin bin may 
not submit any more mail until a timeout elapsefl 

However, even if it were possible to minimise the spamminess of a message by 
repeated submission, the repeated delivery attempts would multiply the network band- 
width required to deliver each message, thus reducing the amount of SPAM that can be 
send per unit time. Therefore, the effects of any information leaked via a Non-Uniform 
Proof-of-Work scheme are mitigated at multiple levels. 



3 Implementing The SPAM Friction 
3.1 Integrating SPAM Friction Into The SMTP 

A Targeted-Cost Proof-of-Work system must see the the body of an email before it can 
decide whether to charge f or delivery. For this reason, it is not possible to incorporate 



it into the existing SMTP | Klensin , 200 ill . Specifically, while a receiving mail server 



''in theory, a particularly well organised Spammer could use an army of robots to send each successive 
refinement from a different IP address. However, the complexity of this arrangement, combined with the 
further increase in bandwidth requirements in order for the robots to coordinate their actions, would limit the 
value of this approach. 
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could use a 211 message to notify the sender that they must provide Proof-of-Work, 
there is no mechanism in SMTP that would allow the sender to deliver the Proof-of- 
Work receipt. Thus a new keyword would be required in SMTP, or an old one must 
take on a new meaning. The former seems preferable, since if the SMTP must be 
changed, then it should not be done crudely. I suggest the new keyword POW as the 
new keyword that is used to deliver a Proof-of-Work receipt to the receiving mail server. 
The following shows an example conversation using the new keyword: 

250 ESMTP Server Ready 
EHLO sending-mail.com 

250-receiving-mail.com Hello sending-mail.com [10.1.2.3] 
250-SIZE 52428800 
250-AUTH PLAIN LOGIN 
250-STARTTLS 

250-SPAMFRICTION ALGO, ALGl, ALG2 

250 HELP 

POW ISUPPORT ALGO, ALGl, ALG4 
250 OK 

MAIL FROM: sender@sending-mail.com 

250 OK 

RCPT TO: receiver@receiving-mail.com 

250 Accepted 

DATA 

354 Enter message, ending with "." on a line by itself 
Spam, spam, eggs and spam 

211 POW Required (SPAM) 0:21:892734982734987 
POW RECEIPT 0:21:892734982734987:193287436879263 

250 OK id=lHCVqn-000436-HX 

The POW command is issued in response to a 21 1 message that requests proof of work. 
The string 0:21:892734982734987isthe puzzle that the sender must solve, where is 
the algorithm number, 2 1 is the difficulty, and the long string of numbers the remainder 
of the problem specification. The response contains the puzzle concatenated with the 
solution strings. Otherwise, the conversation conforms to the SMTP. 

3.2 Transitional Considerations 

A critical issue for any changes to the SMTP, is that backward compatibility is retained. 
This is why the POW capability is issued using a 250 message, and the receiver is 
required to acknowledge if it also supports the capability. A legacy sender that does 
not support the capability makes no offer, alerting the receiver of the fact by its silence. 
Legacy senders would be handled by introducing a lengthly delay before offering to 
accept a message. To prevent abuse by spammers, a receiving mail server may take 
several courses of action when waiting for a Proof-of-Work receipt, or during the time 
out period when communicating with a legacy sender: a) refuse to accept additional 
connections from the same sending host; b) temporarily reject messages sent from the 
same sending host; c) accept additional messages, but increasing the delivery resistance 
in accordance with the number of messages in this state. In any case, it is possible to 
prevent Spammers from abusing the time out too much. More to the point, the time out 
still makes it harder to send SPAM than is currently the case. 
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Finally, for the scheme to be fully effective it would require participation by the 
majority of SMTP servers on the Internet. The interoperability with the existing SMTP 
just described helps to make it possible to progressively implement the scheme, with 
value increasing with each SMTP server that adopts it. Thus if the protocol was imple- 
mented in the major SMTP server software packages, then wide spread adoption would 
be possible. 

4 Conclusions 

In this paper I have argued that a Targeted-Cost Proof-of-Work scheme has the poten- 
tial to dramatically reduce SPAM volumes. Moreover, its requirements are modest: 
a) SPAM filters that are > 99.9% accurate (which akeady exist); b) relatively small 
changes to the SMTP and mail server software and configurations. The risk-benefit 
ratio is compelling: The chance to make SPAM 1,000 times harder to send than HAM, 
and limiting overall SPAM volumes to around 24 messages per sending computer per 
day. The obvious next step is to implement this system, including selecting at least one 
initial problem class, and assess its effectiveness. 
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